Some dating websites do not remove GPS data from photos, CU-Boulder students find

While the majority of dating websites do a good job of managing the privacy of their users, a class research project at the University of Colorado Boulder’s Leeds School of Business found that 21 of 90 dating websites the class examined did not properly remove location data from pictures uploaded by their users.

As a result of people taking more photographs with cameras and cell phones containing Global Positioning System chips, some dating website profile pictures contain GPS coordinates showing where a picture was taken, said Associate Professor Kai Larsen, who taught the class on Privacy in the Age of Facebook. When such information is not removed by the dating website, commonly available tools can be used to detect the location of a person’s residence or other locations frequented by the user.

This gap in privacy protection leaves women users especially vulnerable to online predators, the CU-Boulder student researchers said. Users of dating websites share a plethora of private details but generally will not share their addresses or real names unless a stronger relationship develops through multiple online and offline interactions.

The largest dating sites, such as Match.com and PlentyofFish.com, were found to remove location metadata from user profile pictures. But 23 percent of the 90 websites were found to leave metadata attached to the profile photo. All of these specialized dating sites were based on such attributes as age, disability, hobby or religion.

Twelve of the 21 websites were run by a single Canadian company, SuccessfulMatch.com. According to the SuccessfulMatch website, the company runs 24 dating websites on the same platform, 12 of which were not examined as part of the research project.

“While we were pleased to see such a high level of responsible behavior by online dating companies, an online predator would require no more than one website to act irresponsibly,” Larsen said. “The fact that we found more than 20 websites that do not carefully maintain user privacy is cause for concern, in that individual users are left to maintain their own privacy by carefully confirming that any uploaded picture does not contain GPS coordinates.”

Metadata is “a set of data that describes and gives information about other data,” Larsen said. Such information that can be derived from online photos includes camera type, date of capture, whether the picture has been altered and GPS coordinates of where the photo was taken.

Dating websites have the ability to “scrub” or eliminate such metadata from their member photos and most do because misuse of the information could compromise the safety of their users, Larsen said.

The research method of the study included the creation of user profiles of two individuals, the personal information of which was fabricated except for the photos, which contained location information and other metadata, Larsen said. The photo uploaded by one user then was downloaded by the other user and the existence of the location information confirmed.

The websites found not to remove location metadata were contacted on Dec. 29, 2011, and the Leeds School team has since worked with several of those dating website companies to ensure that location metadata is removed before the survey results were publicly announced.

“It was clear that some companies did not know about this issue,” Larsen said. “The feedback ranged from appreciative to reluctantly removing the metadata to no response.” Several of the companies immediately reported that they were taking action to resolve the issue, including SuccessfulMatch and the companies behind CatholicSingles, DeafSinglesMeet and MeetingMillionaires.

A company that tracks online consumer behavior, Experian Hitwise, recently listed more than 1,100 websites in its “lifestyle dating” category.

“Technology is so important today and many companies deal with very private data,” Larsen said. “Company decisions about how to deal with data privacy can affect their valuation.”

The information management class was offered jointly by the Leeds School’s Division of Management and Center for Education on Social Responsibility.

Dating websites that did not remove location metadata from photographs during the 2011 fall semester class’s research period were the following:

Quotes

“While we were pleased to see such a high level of responsible behavior by online dating companies, an online predator would require no more than one website to act irresponsibly,” said Associate Professor Kai Larsen of the Leeds School of Business. “The fact that we found more than 20 websites that do not carefully maintain user privacy is cause for concern, in that individual users are left to maintain their own privacy by carefully confirming that any uploaded picture does not contain GPS coordinates.”